Home
Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
Configuring
Use this information to configure your network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters.
Configuring directory services
This section describes how to plan, set up, and use HCL Domino® directory services.
The LDAP service
Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing entries in a directory, where an entry has one or more attributes associated with a distinguished name. A distinguished name -- for example, cn=Phyllis Spera,ou=Sales,ou=East,o=Renovations -- is a name that identifies an entry within a directory tree.
Customizing the LDAP service configuration
The default LDAP service configuration works without modification, but you can customize it to suit your needs. The following table describes the LDAP service configuration settings. In addition to the settings in the table, there are NOTES.INI settings you can use to configure the LDAP service.
Configuring alias dereferencing for search requests
The HCL Domino® LDAP service supports limited alias dereferencing for LDAP search requests. An alias, such as uid=jsmith,dc=renovations,dc=com, is an entry that points to another entry, such as cn=John Smith, ou=Sales, o=Renovations. Searching for the entry to which an alias points is known as dereferencing an alias. LDAP search requests often include base or filter components that use an LDAP alias. For example, the base may specify "uid=jsmith,dc=renovations,dc=com" or the filter may specify "uid=jsmith".

Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
- Translated documentation
  The HCL Domino 11.0.1 documentation is currently available in the following languages.
- What's new in Domino® 11?
  Learn about all of the new features for administrators in HCL Domino® 11.
- Overview
  Welcome to HCL Domino® Administrator Help.
- Domino trial
  A trial version of HCL Domino® 11.0.1 is available free of charge.
- Installing
  Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
- Planning
  Use this topic as an overview of planning task.
- Configuring
  Use this information to configure your network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters.
  - Configuring a network
    This section presents the planning concepts and setup procedures necessary for a successful HCL Domino® deployment over a network. It provides information on network protocols from a Domino perspective but does not attempt to provide general network information.
  - Configuring users and servers
    Topics in this section describe how to set up users and servers.
  - Editing the NOTES.INI file
    You should rarely, if ever, need to modify a server's or client's NOTES.INI file. The NOTES.INI file contains many settings that Domino® and Notes® rely on to work properly. An accidental or incorrect change may cause Domino or Notes to run unpredictably. Therefore, you should edit the NOTES.INI file only if special circumstances occur or if Support recommends that you do so.
  - Configuring directory services
    This section describes how to plan, set up, and use HCL Domino® directory services.
    - The Domino® Directory
      The Domino® Directory, which some previous releases referred to as the Public Address Book or Name and Address Book, is a database that Domino creates automatically on every server. The Domino Directory is a directory of information about users, servers, and groups, as well as custom entries you may add. Registering users and servers in a domain automatically creates corresponding Person documents and Server documents in the Domino Directory for the domain. These documents contain detailed information about each user and server.
    - The LDAP service
      Lightweight Directory Access Protocol (LDAP) is a standard Internet protocol for searching and managing entries in a directory, where an entry has one or more attributes associated with a distinguished name. A distinguished name -- for example, cn=Phyllis Spera,ou=Sales,ou=East,o=Renovations -- is a name that identifies an entry within a directory tree.
      - How the LDAP service works
        When the LDAP task is running on a server, the server can listen for and process LDAP client requests. By default, the LDAP task runs automatically on the administration server for the Domino® Directory. The schema daemon spawned by the LDAP task on the administration server uses the Domino LDAP Schema database to propagate schema changes to any other servers in the domain that run the LDAP service. The LDAP task on the administration server for the LDAP service domain Domino Directory also verifies the directory tree to ensure the LDAP service complies with the standard LDAP requirement that each part of a distinguished name has an entry in the directory that represents the name part as an object class.
      - Setting up the LDAP service
        Before you set up the LDAP service, make sure you understand TCP/IP concepts, including DNS host names and IP addressing.
      - Starting and stopping the LDAP service
        You can start and stop the LDAP service automatically or by using commands at the server console.
      - Customizing the LDAP service configuration
        The default LDAP service configuration works without modification, but you can customize it to suit your needs. The following table describes the LDAP service configuration settings. In addition to the settings in the table, there are NOTES.INI settings you can use to configure the LDAP service.
        Changing the LDAP service port and port security configuration
        By default, LDAP clients can connect to the LDAP service over TCP/IP port 389, anonymously or using name-and-password authentication. By default, LDAP clients cannot connect using SSL.
        Full-text indexing directories served by the LDAP service
        The LDAP services uses hidden views in a Domino® Directory or extended directory catalog to search for entries when LDAP users specify names or mail addresses in a search filters. When LDAP users specify other attributes as search criteria, the LDAP service searches the full-text index, if one is created. If your LDAP users search on attributes other than names or mail addresses, create a full-text index for the directories the LDAP service serves to improve the speed of these types of searches.
        Configuring anonymous LDAP search access to a directory
        You can allow anonymous LDAP access to a directory if the TCP/IP and/or SSL port configuration for the LDAP service allows it.
        Using LDAP to modify a directory served by the LDAP service
        By default, the LDAP service does not allow LDAP clients to modify the directories served by the LDAP service.
        Configuring how the LDAP service responds to multiple name matches when processing write and compare operations
        You specify the rules to follow when a directory is the primary directory and there are multiple matches on the distinguished name being compared or modified for all servers in the domain that run the LDAP service.
        Customizing search processing to improve LDAP service performance
        To improve the performance of the LDAP service, you can choose options to customize how the service processes searches. These settings apply to all servers in a domain that run the LDAP service.
        Enabling LDAP alternate language searches
        To enable LDAP alternate language searches, you configure the LDAP service to allow them, and add the language tags to entries. Use an Alternate Language Information document in the Domino® Directory to add language tags to a Person document. Use LDAP add and modify operations to add language tags to any other type of entry.
        Requiring distinguished logon names for LDAP name-and-password security
        To conform to RFCs 2251 through 2254, you can use the LDAP service option DN Required on Bind? to require that an LDAP client that binds using name-and-password security to any LDAP service running in the domain use their fully qualified LDAP distinguished name as their LDAP client logon name. In a Person document in the Domino® Directory, the distinguished name is the first value in the FullName field, labeled User Name. By default, the LDAP service doesn't require an LDAP client to use the distinguished name as a logon name.
        Configuring character encoding for LDAP V2 clients
        By default, the LDAP service uses UTF-8 character encoding when returning results with international characters to LDAP V2 clients. Although the LDAP V2 RFC does not support the use of UTF-8, the default behavior ensures that LDAP V2 clients such as EudoraPro 4.1, which uses UTF-8, can work well with the LDAP service.
        Configuring the number of referrals the LDAP service can return
        When the LDAP service uses secondary directories through directory assistance, there are circumstances where it cannot adequately service a client's read (search, compare) or write (add, modify, modify DN) request and may return a referral to the client. A referral is a redirection in the form of a URL to another LDAP server that might be able to service the client requesting.
        Configuring alias dereferencing for search requests
        The HCL Domino® LDAP service supports limited alias dereferencing for LDAP search requests. An alias, such as uid=jsmith,dc=renovations,dc=com, is an entry that points to another entry, such as cn=John Smith, ou=Sales, o=Renovations. Searching for the entry to which an alias points is known as dereferencing an alias. LDAP search requests often include base or filter components that use an LDAP alias. For example, the base may specify "uid=jsmith,dc=renovations,dc=com" or the filter may specify "uid=jsmith".
      - Setting up clients to use the LDAP service
        You can set up both non-Notes clients and Notes® clients to use the LDAP service running on a specific server.
      - Using LDAP to search a Domain index
        If the LDAP service is running on a server that stores a Domain Index, you can develop an LDAP application to search the Domain Index for all documents that contain a specific text string and then return specific attributes of these documents.
      - Monitoring the LDAP service
        You can show the current LDAP service configuration settings, as well as show statistics related to LDAP service port activity.
      - RFCs supported by the LDAP service
        The Domino® LDAP service supports the RFCs described in the following table.
    - LDAP schema
      A directory entry contains information about a particular entity, or object -- for example, a person or a group -- and is associated with a distinguished name. An LDAP schema is a set of rules that define what can be stored as entries in an LDAP directory. Each LDAP directory has a default schema, which organizations can customize, or "extend," by adding elements to it. The elements of a schema are attributes, syntaxes, and object classes. LDAP directory servers provide the ability to enforce the schema to ensure that directory changes made using LDAP operations conform to it.
    - ldapsearch utility
      Domino® and Notes® provide a command-line search utility, LDAPSEARCH.EXE, that you use to search entries in any LDAP directory. The ldapsearch utility connects to a directory server and returns results that match search criteria you specify. It is available on Domino server and Notes client platforms.
    - Directory assistance
      Directory assistance allows a server to look up information in a directory other than a local primary Domino® Directory (NAMES.NSF).
    - Directory Sync
      Directory Sync allows you to sync people and group data from an external LDAP directory into the Domino® directory. Currently data from Active Directory can be synced.
    - Directory catalogs
      A directory catalog is an optional directory database that typically contains information aggregated from multiple Domino® directories. Clients and servers can use a directory catalog to look up mail addresses and other information about the people, groups, mail-in databases, and resources throughout an organization, regardless of the number of Domino domains and Domino Directories the organization uses.
    - Extended ACL
      An extended access control list (ACL) is an optional directory access-control feature available for a directory created from the PUBNAMES.NTF template -- a Domino® Directory or an extended directory catalog. An extended ACL is tied to the database ACL, and you access it through the Access Control List dialog box using a Notes® or Domino Administrator client.
    - Setting up Domino® Active Directory synchronization (Deprecated)
      When the Domino® server is installed on a Microsoft™ Windows™ 2003 server, as an administrator, you typically need to maintain two separate directories for the same set of people and groups. Maintaining user and group information involves adding entries to both directories, deleting entries, ensuring that passwords are the same when users use Notes® Single Logon, coordinating group membership in both directories, and ensuring that user or group settings, such as email addresses and telephone numbers, are identical.
  - Configuring messaging
    This section provides an overview of messaging and describes how to set up mail routing, how to set up and customize mail servers, and how to track mail.
  - Configuring iNotes®
    HCL iNotes® provides HCL Notes® users with browser-based access to Notes mail and to Notes calendar and scheduling features. Administrators specify mail policy and security policy settings as well as notes.ini file settings to complete the full implementation of HCL iNotes.
  - Configuring Web servers
    This section describes how to set up the HCL Domino® Web server, and the Domino Web Navigator.
  - Setting up a cluster
    Setting up a cluster includes the tasks of creating and verifying that it is working correctly, and then setting up user access, mail, replications, size quotas, directory assistance, roaming, web navigation, and use of a private LAN in the cluster.
- Securing
  This section describes security features, including execution control lists, IDs, and SSL.
- Administering
  This documentation provides information about the administration tools for managing and monitoring servers and databases.
- Tuning
  Use this information to improve HCL Domino® server, Domino Web server, and messaging performance through the use of resource balancing and activity trends, Server.Load commands, advanced database properties, cluster statistics, and the Server Health Monitor.
- Troubleshooting
  This section describes how to find and solve problems with HCL Domino® server and Administrator client.
- Notices

Configuring alias dereferencing for search requests

The HCL Domino® LDAP service supports limited alias dereferencing for LDAP search requests. An alias, such as uid=jsmith,dc=renovations,dc=com, is an entry that points to another entry, such as cn=John Smith, ou=Sales, o=Renovations. Searching for the entry to which an alias points is known as dereferencing an alias. LDAP search requests often include base or filter components that use an LDAP alias. For example, the base may specify "uid=jsmith,dc=renovations,dc=com" or the filter may specify "uid=jsmith".

About this task

Alias dereferencing only works on aliases for People and Groups.

Alias dereferencing only works for alias entries that do not point to another alias.

Alias dereferencing does not work for 'container' entries, that is, entries in a directory that have entries under them. For example, an example of an alias entry that is a container entry would be o=Renovations. Use the following steps to enable alias dereferencing for the LDAP service.

Procedure

From the Domino® Administrator, open the server that runs the LDAP service, or a server in the same domain as the one that runs the LDAP service.
Click the Configuration tab.
In the navigation pane, expand Directory, then LDAP, and then select Settings.
On the LDAP tab, click Yes for the setting Allow dereferencing of alias entries for search requests?.
Click Save & Close.

What to do next

After you enable LDAP dereferencing of alias entries in the Configuration document, you can add alias entries to Person or Group documents.

Add the alias entry after the first entry in the User Name field of the Person document or the Group Name field in the Group document. Do not change the first entry, as this is the HCL Notes® Distinguished Name (DN). You must specify the alias in Distinguished Name syntax, using forward slash characters (/) as name component separators rather than commas (the LDAP DN syntax).

As with all DNs, the Domino® LDAP server converts the forward slashes to commas when returning the alias name in a search result.

Examples:

John Smith/West/Sales

John_Smith@renovations.com

uid=jsmith/dc=renovations/dc=com

email=John_Smith@renovations.com

Note: Enabling alias dereferencing can affect search performance. Careful consideration of this performance implication should be given when deciding whether to enable alias dereferencing on the Domino® LDAP server.